CAN-2004-1171: plain text password exposure
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
kdelibs (Debian) | Fix Released | Unknown | |
kdelibs (Ubuntu) | Fix Released | High | Andreas Mueller |
Bug Description
Automatically imported from Debian bug report #285126 http://
CVE References
Debian Bug Importer (debzilla) wrote : | #1 |
Debian Bug Importer (debzilla) wrote : | #2 |
Message-ID: <email address hidden>
Date: Fri, 10 Dec 2004 14:45:15 -0500
From: Joey Hess <email address hidden>
To: <email address hidden>
Subject: CAN-2004-1171: plain text password exposure
Package: kdelibs, kdebase
Version: 3.3.2
Tags: security, patch
Severity: serious
CAN-2004-1171 is about a security hole in KDE that allows for possible
password leakage:
KDE 3.2.x and 3.3.0 through 3.3.2, when saving credentials that are (1)
manually entered by the user or (2) created by the SMB protocol handler,
stores those credentials in plaintext in the user's .desktop file, which may
be created with world-readable permissions, which could allow local users to
obtain usernames and passwords for remote resources such as SMB shares.
Note that this will need to be fixed in both the version in unstable
and the older version in testing via t-p-u. This page has details of the
hole and links to patches for all recent versions of KDE:
http://
--
see shy jo
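An added example (not part of the bug report or of the KDE patches) of auditing for the condition the CVE text describes: it walks a directory, finds `.desktop` files whose URL entry carries a password, and reports whether each file is world-readable. It assumes the credentials appear as `user:password@` userinfo in a `URL` key, which the report does not spell out; the function names are chosen here, and the sample host, user and password are constructed.

```python
import os, re, stat, tempfile
from urllib.parse import urlsplit

# Assumption: saved credentials appear as userinfo (user:password@) in a
# URL key of the .desktop file, e.g. URL=smb://user:pw@host/share.
URL_KEY = re.compile(r"^\s*URL(?:\[[^\]]*\])?\s*=\s*(\S+)")

def embedded_credentials(path):
    """Return (scheme, user, host) for each URL entry that carries a password."""
    hits = []
    with open(path, errors="replace") as fh:
        for line in fh:
            m = URL_KEY.match(line)
            try:
                parts = urlsplit(m.group(1)) if m else None
            except ValueError:  # malformed URL, nothing to report
                continue
            if parts and parts.password:  # record where, never the secret
                hits.append((parts.scheme, parts.username, parts.hostname))
    return hits

def audit(root):
    """List .desktop files under root that store a password, with file mode."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(f for f in files if f.endswith(".desktop")):
            path = os.path.join(dirpath, name)
            hits = embedded_credentials(path)
            if hits:
                mode = stat.S_IMODE(os.stat(path).st_mode)
                findings.append({"file": name, "mode": oct(mode), "entries": hits,
                                 "world_readable": bool(mode & stat.S_IROTH)})
    return findings

def build_sample(root):
    """Write constructed sample files; host, user and password are made up."""
    leaky = "[Desktop Entry]\nType=Link\nURL=smb://alice:s3cret@files.example/docs\n"
    clean = "[Desktop Entry]\nType=Link\nURL=smb://files.example/docs\n"
    for name, body, mode in (("a.desktop", leaky, 0o644),
                             ("b.desktop", leaky, 0o600),
                             ("c.desktop", clean, 0o644)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, mode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        print(audit(d))
```

A file that stores a password but is mode 0600 is still reported, since the credential is in plaintext on disk; the `world_readable` flag marks the cases other local users can read.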
In Debian Bug tracker #285126, Dato Simó (dato) wrote : Re: Bug#285126: CAN-2004-1171: plain text password exposure | #3 |
* Joey Hess [Fri, 10 Dec 2004 14:45:15 -0500]:
> Package: kdelibs, kdebase
> Version: 3.3.2
> Tags: security, patch
> Severity: serious
> CAN-2004-1171 is about a security hole in KDE that allows for possible
> password leakage:
I've prepared kdelibs and kdebase uploads for this. I'm now looking
for somebody to upload them for me.
--
Adeodato Simó
EM: asp16 [ykwim] alu.ua.es | PK: DA6AE621
Listening to: The Beatles - Get back
When it is not necessary to make a decision, it is necessary not to make
a decision.
In Debian Bug tracker #285126, Joey Hess (joeyh) wrote : | #4 |
Adeodato Simó wrote:
> I've prepared kdelibs and kdebase uploads for this. I'm now looking
> for somebody to upload them for me.
Are you one of the normal KDE maintainers? (Sorry, I'm not up-to-date on
KDE maintenance.) If so, I can do the sponsoring.
--
see shy jo
In Debian Bug tracker #285126, Dato Simó (dato) wrote : | #5 |
* Joey Hess [Fri, 10 Dec 2004 17:38:29 -0500]:
> Adeodato Simó wrote:
> > I've prepared kdelibs and kdebase uploads for this. I'm now looking
> > for somebody to upload them for me.
> Are you one of the normal KDE maintainers? (Sorry, I'm not up-to-date on
> KDE maintenance.) If so, I can do the sponsoring.
let's say I'm becoming an habitual. as for sponsoring, I just talked
to Riku Voipio and he'll be reviewing and uploading tomorrow, is that
ok with you?
in any case, thanks for your offer.
--
Adeodato Simó
EM: asp16 [ykwim] alu.ua.es | PK: DA6AE621
Listening to: Oasis - Hello
Everything you read in newspapers is absolutely true, except for that
rare story of which you happen to have first-hand knowledge.
-- Erwin Knoll
Debian Bug Importer (debzilla) wrote : | #6 |
Message-ID: <email address hidden>
Date: Fri, 10 Dec 2004 23:02:47 +0100
From: Adeodato =?iso-8859-
To: Joey Hess <email address hidden>, <email address hidden>
Subject: Re: Bug#285126: CAN-2004-1171: plain text password exposure
Debian Bug Importer (debzilla) wrote : | #7 |
Message-ID: <email address hidden>
Date: Fri, 10 Dec 2004 17:38:29 -0500
From: Joey Hess <email address hidden>
To: Adeodato =?iso-8859-
Cc: <email address hidden>
Subject: Re: Bug#285126: CAN-2004-1171: plain text password exposure
Debian Bug Importer (debzilla) wrote : | #8 |
Message-ID: <email address hidden>
Date: Fri, 10 Dec 2004 23:42:22 +0100
From: Adeodato =?iso-8859-
To: Joey Hess <email address hidden>, <email address hidden>
Cc: Riku Voipio <email address hidden>
Subject: Re: Bug#285126: CAN-2004-1171: plain text password exposure
In Debian Bug tracker #285126, Dato Simó (dato) wrote : | #9 |
tag 285126 sarge
stop here
* Joey Hess [Fri, 10 Dec 2004 14:45:15 -0500]:
> Package: kdelibs, kdebase
> Version: 3.3.2
> Tags: security, patch
> Severity: serious
> CAN-2004-1171 is about a security hole in KDE that allows for possible
> password leakage:
hi,
kdelibs 3.3.1-2 and kdebase 3.3.1-3 have been uploaded to sid,
fixing the problem.
there is no 3.2 upload to t-p-u planned, since the KDE 3.3 testing
transition has now RMs' approval and we're putting our efforts in it
happening soon.
thanks,
--
Adeodato Simó
EM: asp16 [ykwim] alu.ua.es | PK: DA6AE621
The pure and simple truth is rarely pure and never simple.
-- Oscar Wilde
Debian Bug Importer (debzilla) wrote : | #10 |
Message-ID: <email address hidden>
Date: Sat, 11 Dec 2004 20:59:27 +0100
From: Adeodato =?iso-8859-
To: Joey Hess <email address hidden>, <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#285126: CAN-2004-1171: plain text password exposure
Andreas Mueller (amu) wrote : | #11 |
the bugs are already solved in the current warty and hoary version.
Cheers
amu
In Debian Bug tracker #285126, coldtobi (tobi-coldtobi) wrote : kdelibs: Is this bug fixed? (And can be closed?) | #12 |
Package: kdelibs
Version: 4:3.3.1-4
Followup-For: Bug #285126
Again, sorry for nagging:
I read the changelog of kdelibs and kdebase and found out, that the bug
should be resolved...
Here the changelog-snips (shortened):
kdebase (4:3.3.1-3) unstable; urgency=medium
* Include patch to fix CAN-2004-1171 ("plain text password exposure").
Closes half of #285126.
-- Adeodato Simó <email address hidden> Fri, 10 Dec 2004 22:28:25 +0100
kdelibs (4:3.3.1-2) unstable; urgency=medium
* Include patch to fix CAN-2004-1171 ("plain text password exposure").
Closes half of #285126. Notes about the patches:
-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.8
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=
Versions of packages kdelibs depends on:
ii kdelibs-bin 4:3.3.1-4 KDE core binaries
ii kdelibs-data 4:3.3.1-4 KDE core shared data
ii kdelibs4 4:3.3.1-4 KDE core libraries
-- no debconf information
Debian Bug Importer (debzilla) wrote : | #13 |
Message-Id: <email address hidden>
Date: Mon, 03 Jan 2005 17:58:04 +0100
From: coldtobi <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: kdelibs: Is this bug fixed? (And can be closed?)
In Debian Bug tracker #285126, Dato Simó (dato) wrote : Re: Bug#286510: kdelibs: Is bug resolved and can be closed? | #14 |
* coldtobi [Mon, 03 Jan 2005 17:51:42 +0100]:
> So maybe this bug can be closed, and make the path a little more free
> for the testing scripts?
> --- snip of changelog kdelibs --
> kdelibs (4:3.3.1-3) unstable; urgency=high
> * Added patch to fix half of Konqueror Window Injection
> * Vulnerability
> CAN-2004-115. kdebase upload will fix the rest.
> -- Riku Voipio <email address hidden> Mon, 13 Dec 2004 18:53:21 +0000
> --- end of snip ---
> kdebase (4:3.3.1-3) unstable; urgency=medium
> * Include patch to fix CAN-2004-1171 ("plain text password exposure").
> Closes half of #285126.
> -- Adeodato Simó <email address hidden> Fri, 10 Dec 2004 22:28:25
> +0100
> kdelibs (4:3.3.1-2) unstable; urgency=medium
> * Include patch to fix CAN-2004-1171 ("plain text password exposure").
> Closes half of #285126. Notes about the patches:
in all cases, the bug remains open because sarge is still vulnerable.
in all cases, the bug has the 'sarge' tag set, so they don't affect
the transition to sarge. these bugs will be closed as soon as KDE 3.3
enters testing, which should happen during this week.
thanks for caring, anyway.
--
Adeodato Simó
EM: asp16 [ykwim] alu.ua.es | PK: DA6AE621
Listening to: David Bowie - If I'm dreaming my life
Faced with the choice between changing one's mind and proving that there
is no need to do so, almost everyone gets busy with the proof.
-- J.K. Galbraith
Debian Bug Importer (debzilla) wrote : | #15 |
Message-ID: <email address hidden>
Date: Mon, 3 Jan 2005 18:55:25 +0100
From: Adeodato =?iso-8859-
To: coldtobi <email address hidden>, <email address hidden>,
<email address hidden>
Subject: Re: Bug#286510: kdelibs: Is bug resolved and can be closed?
In Debian Bug tracker #285126, Steve Langasek (vorlon) wrote : KDE 3.3.1 in sarge, closes many RC bugs | #16 |
tags 285126 -sarge
tags 271256 -sarge
tags 285126 -sarge
tags 252670 -sarge
tags 278173 +sid
tags 253701 -sarge
tags 247243 -sarge
thanks
KDE 3.3 has been accepted into testing and should be visible from the
mirrors starting tomorrow. I believe all of these RC bugs can therefore be
closed.
Many thanks to the KDE team for their efforts in making this happen, and to
Anthony Towns for handholding britney through the transition.
--
Steve Langasek
postmodern programmer
Debian Bug Importer (debzilla) wrote : | #17 |
Message-ID: <email address hidden>
Date: Mon, 3 Jan 2005 21:59:38 -0800
From: Steve Langasek <email address hidden>
To: <email address hidden>, <email address hidden>,
<email address hidden>, <email address hidden>,
<email address hidden>, <email address hidden>,
<email address hidden>, <email address hidden>,
<email address hidden>, <email address hidden>,
<email address hidden>, <email address hidden>, <email address hidden>
Cc: <email address hidden>
Subject: KDE 3.3.1 in sarge, closes many RC bugs
Changed in kdelibs:
status: Unknown → Fix Released
Automatically imported from Debian bug report #285126 http://bugs.debian.org/285126